News Tech

Find the insidious rules that eavesdrop users emails

Nimblr have been getting more and more reports of organizations who are affected by fraud where payment information sent by e-mail from trusted senders has been modified. The approach is not new, but remains an effective method of stealing both money and goods. Most attacks occur in an Office365 environment, but similar attacks have been noticed in Google Workspace.

The attack is initiated by the attacker gaining access to a users email account, often through a fake login page where the user enters their password in good faith. The attacker uses the password to log in to the victim’s webmail. There, the attacker creates e-mail rules that forward or copy the e-mail communication to an external e-mail address.

In some cases, the rules are based on specific criteria, such as to forward only emails that contain the word “invoice” or “payment”. In some of the attacks that Nimblr has studied, the e-mail does not reach the intended recipient until after the attacker has had the opportunity to modify the content.

Once the insidious email rule is in place, it’s just for the attacker to wait for the right opportunity. By invisibly examining the victim’s communication, the attack can last for a long time, and so when e.g. a delivery address or a payment information is mentioned, the attacker strikes and modifies the details about bank account numbers or the like. Often the attack is not detected until the supplier asks where the payment for a particular order has gone, or when the customer asks for his goods.

As an administrator, it’s a good idea to review the rules that are configured in users email clients. The easiest way is to run a powershell script in an Exchange server or Office 365 instance. The script below lists all users who have forwarding enabled:

$Mailboxes = Get-Mailbox -ResultSize Unlimited
ForEach ($Mailbox in $Mailboxes)
$MailboxWithRule = Get-InboxRule -Mailbox $Mailbox.Alias |
where {
($_.RedirectTo -ne $null) -or ($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null)
if ($MailboxWithRule -ne $Null)
Write-Host ”The following users have forwarding rules $($Mailbox.PrimarySmtpAddress)” $MailboxWithRule |
fl Name, Identity, RedirectTo, ForwardTo, ForwardAsAttachmentTo

As an end user, you may keep an eye on the rules in the e-mail client by, in Outlook, clicking on File and select Manage Rules & Alerts to display active rules.